Securing health exchange data

It’s ironic this year that National Cybersecurity Awareness Month falls in October, because come Oct. 1, the new health insurance exchanges established under the Affordable Care Act go “live” — and they will unleash a host of new cyberactivity and cybersecurity threats that our health care system is not yet equipped to handle.

The exchange system — a network of state and federally operated online marketplaces where Americans will be able to compare, select and enroll in public and private health plans — will require collecting, sharing and storing a trove of sensitive personal and health-related information, putting it at serious risk of being compromised if the system and all of its many parts are not secure. Determination of eligibility for exchange products and associated government subsidies will be facilitated through the Federal Data Services Hub, a single interface that will connect to and obtain data from sources including the Centers for Medicare & Medicaid Services, the Social Security Administration, the Internal Revenue Service, the Veterans Health Administration and the Department of Homeland Security. In other words, the exchange network is not a unified behemoth operated only by the federal government; it encompasses a web of complex interactions and transactions among hundreds of entities. Come October, all will be at risk of a cyberattack.

With all the publicity given to exchanges, the question is not whether the exchange network will be targeted by hackers — who might seek to steal personal financial and health information, for instance, or to disrupt system operations. Instead, the question is when and where the attacks will occur. Congressional and media attention has focused on the center of operations — the Federal Data Hub. This attention is warranted, as exchanges in all 50 states and the District of Columbia, most of them federally operated, will connect to the hub. But both the state exchanges and the Federal Data Hub also connect to state Medicaid programs and a host of private entities, including insurance carriers, Web brokers, navigators and traditional agents and brokers. Technology and service vendors are supporting these operations at every level. That’s a whole lot of points of entry for potential hackers.

Many of these entities have robust cybersecurity programs and incident response plans in place that can be updated and modified to address new exchange-related requirements, and many entities undoubtedly have beefed up their cybersecurity programs in anticipation of the Oct. 1 start date. But many others will soon face a level of cyberthreat not typical for their current day-to-day operations, becoming a target for hackers seeking to tap a vast quantity of sensitive personal data or to cripple the Obamacare initiative. An analysis by McKinsey & Co. of the insurance filings for exchanges in 47 states shows that 26 percent of the insurance carriers are operating in new markets. Except in a few instances, traditional brokers have very limited experience working with online health insurance exchanges for sales and government subsidy determination, and the Web brokers that will be operating as arms of the federal exchanges are largely new federal government contractors. All will enter a high-visibility cyber environment when they start operations in October and should plan accordingly.

For everyone in the exchange universe, whether a government entity or a private company, the smart course of action is to conduct an assessment of cybersecurity readiness before entering the exchange network. Readiness in this case is multipronged, and the risks are significant. Best practice is not merely a self-assessment by an internal information technology team, but an independent and objective review conducted by outside technical and legal experts that includes a cybersecurity compliance audit; verification of a robust cyber-breach notification and response plan; and real-world vulnerability testing, such as having ethical hackers attempt to penetrate the entity’s systems, or using social engineering tactics like phishing to see whether employees can be manipulated into jeopardizing security.

Part of the problem is that there is currently no formal cybersecurity checklist from the government for members of the exchange system. While the CMS has issued a series of security guidance documents, as well as formal regulations related to privacy and security, the guidance makes clear that there is no single integrated, comprehensive approach to cybersecurity that satisfies all potential requirements. Exchanges, and the many entities connecting to them, are responsible for complying with all applicable federal and state data security and privacy laws, as well as any contractual requirements — which in some instances are still evolving. Those operating in the exchange network would be wise to carefully structure programs around the cybersecurity obligations that are mandated by law and contract and the practices that are best suited for their particular situation.

Much controversy surrounds the startup of exchanges, but the need for information flowing through exchanges to be secure is not up for debate. The responsibility falls on everyone operating in the exchange environment, not just the federal government. Regardless of where hackers first penetrate the exchange system, any breach would hurt American businesses and families, and any security failure also would undoubtedly be highly publicized by the media. In other words, for everyone operating in the new exchange world, this October truly should be Cybersecurity Awareness Month.

Cindy Gillespie is a senior managing director and Elizabeth Ferrell is a partner at McKenna Long & Aldridge. Gillespie leads the firm’s exchange practice and served as counselor to Gov. Mitt Romney during the development of Massachusetts Health Care Reform. Ferrell co-chairs MLA’s cybersecurity practice and serves as vice-chairwoman of the ABA Public Contract Law Section’s Cybersecurity, Privacy & Data Protection Committee.